Opinion | N.S.A. Official: We Need to Prepare for the Future of War
The third implication of the digital revolution is that the balance between government and the private sector will be altered in a profound way. That in turn is the inescapable product of three factors: cybervulnerability affecting every element of the private sector (no longer are targets arguably limited to military assets), the general flood of data unleashed by the digital revolution that will be created in the hands of private enterprise and a response to a rising China whose strategic technology goals pose a unique threat that directly implicates the private sector.
Even without considering the challenges presented by China, there are at least two, related manifestations of how the government-private sector balance has changed and will change. First, the government no longer possesses the lead in complex technology, at least in many areas relevant to national security. Arguably, the most powerful computing and sophisticated algorithm development now occurs not in the Pentagon or the N.S.A. but in university research labs and in the Googles and Amazons of the commercial world. (To be sure, the government still maintains its superiority in important areas ranging from nuclear energy to cryptography.) Even apart from the issue of which sector has the technological edge, there is the simple fact that the digital revolution has brought astonishing capabilities to anyone who has a smartphone, who can now download a facial recognition app, a malicious cybertool or some other capability that formerly was the exclusive province of government.
Second, the private sector will have many more times the quantity of data about individuals and commercial activity than governments could ever obtain. The larger antivirus vendors, with their sensors connected to their global corporate clients, already know more at any given moment about the state of networks around the world than does any government agency. Businesses in the services, retailing, industrial and other sectors will have more global sensors and applications detecting cybertraffic, collecting behavioral patterns, amassing personal data and so on, than even the most surveillance-oriented nation could ever hope to have. The fact that private satellite imagery companies have displaced the monopoly that the National Geospatial-Intelligence Agency used to have is merely a harbinger of how the private sector will be the collector and repository of key information about our locations, our consumption patterns, our communications — in short, about everything.
As the owners of physical infrastructure learned following the Sept. 11 terrorist attacks, when our everyday lives rely on the security of assets and services held in the private sector, commercial owners will be expected to take steps to protect society. We are clearly witnessing the same imbuing of social responsibility into how the digital revolution’s data will be handled. Personal data needs to be safeguarded so that it does not fall into the wrong hands, it needs to be made accurate so that incorrect results are not generated from its use, and it needs to be used in ways that do not violate our notions of privacy and proper use. Those are not duties originating within the commercial world but will be increasingly imposed by society.
As for the safeguarding, many would argue that governments cannot and should not be relied on to prevent and defend against every cyberthreat to the private sector, even from a nation-state; such threats are not the same as an armed attack. But that leaves the private sector frustrated and underdefended — hacking back is often impossible and generally illegal.
National security agencies will need to defuse that frustration and find an effective path for collaboration with the private sector to mitigate cyberthreats. The only practical solution is for the private sector to assume a greater burden in this area, but with the active support of the national security agencies. We are still struggling to find an effective solution to the competing desires for the private sector to obtain classified information about cyberthreats and for government to obtain detailed information about cyberintrusions into corporate networks. Both sides have legitimate reasons to keep their information secret. But ultimately we all realize that will not yield an effective outcome. Attribution solutions will require the private sector to be more forthcoming about network breaches. Indeed, the private sector should have a greater responsibility to collect, analyze and retain all this new data and to make it available with appropriate safeguards to the government for national security purposes. But even safeguards will not completely allay a variety of privacy and liability concerns.
Until recently, at least in the United States, our notions of privacy have been rooted in the Fourth Amendment’s delineation of the federal government’s powers vis-à-vis the individual citizen. But what do our notions of privacy mean anymore when Amazon, Google, Apple, Microsoft, Facebook and so on already know so much about you? We now see increasing pressure in Congress to regulate in this area. To be sure, this article is not advocating any particular approach (much less suggesting greater surveillance powers), but it is hard to escape the conclusion that we will need to recalibrate the balance in this area of data privacy between the government and the private sector.
Gloss